On Thu, Oct 3, 2019, at 9:15 PM, Alex Perl wrote:
> Implemented AD/KRB/SSSD with both RH6 and RH7.
>
> RH7 no issues, as we are using auto_private_groups that was added to 1.16.1.
>
> In RH6 the issue (sssd 1.13) is that all users get the same
> groups and it is a clear security gap.
>
> The only way to avoid this, based on the KB articles, is to use AD
> POSIX attributes. If we don't want to use this setup, is there any
> other recommended way?
>

In my experience, even with AD POSIX attributes where a GID is assigned to the user, the group name does not resolve without auto_private_groups unless there is an associated AD group with the same GID. In my example, we assigned uid=gid attributes unique to each user. Probably the best way to close the security gap on RH6 is to enforce a umask of 077.

> The example of user/group representation, where all users get the
> same gid=273200513(domain users):
>
> id username
> uid=2755191114(ncircle) gid=273200513(domain users)
> groups=273200513(domain users)

V/r,
James Cassell
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
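The shared-primary-GID condition from the question and the umask mitigation from the reply, as an added shell example that is not part of the original messages: it flags a GID that several users share as their primary group in `id`-style output and shows which permission bits a newly created file keeps under umask 002, 022 and 077. The `id` lines are constructed to mirror the one quoted above, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example: detect the "every user has gid=domain users" condition and
# show how the umask limits what those users can do with each other's files.
# Constructed sample of `id` output, one user per line (not real accounts).
SAMPLE_ID_OUTPUT='uid=2755191114(ncircle) gid=273200513(domain users) groups=273200513(domain users)
uid=2755191200(alice) gid=273200513(domain users) groups=273200513(domain users)
uid=2755191201(bob) gid=273200513(domain users) groups=273200513(domain users)
uid=1001(localadmin) gid=1001(localadmin) groups=1001(localadmin),10(wheel)'

# Reduce each `id` line to "uid gid" so primary GIDs can be counted.
extract_uid_gid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\)([^)]*) gid=\([0-9]*\)(.*/\1 \2/p'
}

# Print every GID that more than one user has as primary group; with
# per-user private groups (auto_private_groups) this prints nothing.
shared_primary_gids() {
    extract_uid_gid "$1" | awk '{count[$2]++} END {for (g in count) if (count[g] > 1) print g}'
}

# Mode of a file created with the default 0666 creation mode under umask $1,
# as four octal digits (both operands are treated as octal).
file_mode_under_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# True when a file created under umask $1 is writable by its group, i.e. by
# every domain user when they all share the primary GID.
group_writable() {
    mode=$(file_mode_under_umask "$1")
    [ $(( 0$mode & 020 )) -ne 0 ]
}

main() {
    gids=$(shared_primary_gids "$SAMPLE_ID_OUTPUT")
    [ -n "$gids" ] && echo "Primary GID shared by multiple users: $gids"
    for um in 002 022 077; do
        echo "umask $um -> new file mode $(file_mode_under_umask "$um")"
    done
}
main
```

Run against real systems by replacing the sample with the output of `id` for each account; a umask of 077 leaves only the owner bits, which is the closing of the gap the reply describes.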